CVE-2026-31958

HIGHPre-NVD 7.57.5
EchelonGraph scoreMEDIUM confidence

This high-severity CVE scores 7.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 92% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.5Exploit: NoneExposed: 0

A fix is available — apply it.

Tornado is vulnerable to DoS due to too many multipart parts

In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts.

Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see tornado.httputil.ParseMultipartConfig. It is also now possible to disable multipart/form-data parsing entirely if it is not required for the application.

CVSS v3
7.5
EG Score
7.5(medium)
EPSS
29.5%
KEV
Not listed

Published

March 12, 2026

Last Modified

March 12, 2026

Patch Availability(18)

Vendor / EcosystemFixed in / PatchReleasedSource
ubuntupython3-tornado (6.5.4-0.1ubuntu0.1) @ resolute2026-06-12ubuntu
ubuntupython3-tornado (6.0.3+really5.1.1-3ubuntu0.1~esm5) @ focal2026-06-12ubuntu
redhatrhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9:17800692222026-06-10redhat
redhatpython-tornado-0:4.2.1-5.el7_9.32026-06-08redhat
redhatpython-tornado-0:6.4.2-2.el9_6.32026-05-26redhat
redhatpython-tornado-0:6.4.2-1.el9_2.22026-05-26redhat
redhatpython-tornado-0:6.4.2-1.el9_4.22026-05-26redhat
redhatpython-tornado-0:6.4.2-1.el10_0.22026-05-26redhat
redhatpython-tornado-0:6.5.5-1.el9_82026-05-19redhat
redhatpython-tornado-0:6.5.5-1.el10_22026-05-19redhat
redhatpython-tornado-0:6.5.5-1.el9_7.12026-05-05redhat
redhatpython-tornado-0:6.5.5-1.el10_1.12026-05-05redhat
redhatpcs-0:0.11.1-10.el9_0.112026-04-29redhat
redhatpcs-0:0.10.15-4.el8_8.112026-04-29redhat
redhatpcs-0:0.10.8-1.el8_4.112026-04-29redhat
redhatpcs-0:0.10.12-6.el8_6.132026-04-29redhat
redhatrhoai/odh-llama-stack-core-rhel9:17751444032026-04-23redhat
redhatpcs-0:0.10.18-2.el8_10.92026-04-14redhat

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Affected Packages

(1 across 1 ecosystem)
PyPI(1)
PackageVulnerable rangeFixed inDependents
tornado0.2 ... 6.5b1 (80 versions)6.5.5

Additional Vendor Advisories

(2)

Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.

Data Freshness Timeline

(refreshed 8× in last 7d / 49× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 16:27 UTCEPSS rescore
  2. 2026-07-06 16:27 UTCEPSS rescore
  3. 2026-07-06 02:23 UTCEPSS rescore
  4. 2026-07-06 02:23 UTCEPSS rescore
  5. 2026-07-05 02:30 UTCEPSS rescore
  6. 2026-07-04 06:31 UTCEPSS rescore
  7. 2026-07-01 15:06 UTCEPSS rescore
  8. 2026-06-30 23:22 UTCEPSS rescore
  9. 2026-06-29 07:02 UTCOSV refresh
  10. 2026-06-28 14:07 UTCEPSS rescore
  11. 2026-06-28 14:07 UTCEPSS rescore
  12. 2026-06-28 04:56 UTCEPSS rescore
  13. 2026-06-28 04:56 UTCEPSS rescore
  14. 2026-06-27 03:08 UTCEPSS rescore
  15. 2026-06-25 13:49 UTCEPSS rescore
  16. 2026-06-25 13:49 UTCEPSS rescore
  17. 2026-06-24 14:05 UTCEPSS rescore
  18. 2026-06-23 21:33 UTCEPSS rescore
  19. 2026-06-23 21:33 UTCEPSS rescore
  20. 2026-06-22 14:25 UTCEPSS rescore
  21. 2026-06-22 14:25 UTCEPSS rescore
  22. 2026-06-21 14:56 UTCEPSS rescore
  23. 2026-06-21 14:56 UTCEPSS rescore
  24. 2026-06-21 01:59 UTCEPSS rescore
  25. 2026-06-19 19:25 UTCEPSS rescore
Show 24 more
  1. 2026-06-19 19:25 UTCEPSS rescore
  2. 2026-06-18 17:52 UTCEPSS rescore
  3. 2026-06-18 17:52 UTCEPSS rescore
  4. 2026-06-17 17:53 UTCEPSS rescore
  5. 2026-06-16 17:52 UTCEPSS rescore
  6. 2026-06-15 17:49 UTCEPSS rescore
  7. 2026-06-14 23:18 UTCEPSS rescore
  8. 2026-06-13 23:00 UTCEPSS rescore
  9. 2026-06-12 23:12 UTCEPSS rescore
  10. 2026-06-12 23:12 UTCEPSS rescore
  11. 2026-06-12 00:16 UTCEG score recompute
  12. 2026-06-12 00:16 UTCVendor advisory
  13. 2026-06-11 14:00 UTCEPSS rescore
  14. 2026-06-10 22:18 UTCEPSS rescore
  15. 2026-06-10 19:05 UTCEG score recompute
  16. 2026-06-10 19:05 UTCVendor advisory
  17. 2026-06-10 13:22 UTCEPSS rescore
  18. 2026-06-10 06:07 UTCEG score recompute
  19. 2026-06-10 06:07 UTCVendor advisory
  20. 2026-06-09 16:57 UTCEG score recompute
  21. 2026-06-09 16:57 UTCVendor advisory
  22. 2026-06-08 20:42 UTCEG score recompute
  23. 2026-06-08 20:42 UTCVendor advisory
  24. 2026-06-08 20:41 UTCOSV refresh

Frequently asked(5)

What is CVE-2026-31958?
CVE-2026-31958 is a high vulnerability published on March 12, 2026. Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of…
When was CVE-2026-31958 disclosed?
CVE-2026-31958 was first published in the National Vulnerability Database on March 12, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-31958 actively exploited?
CVE-2026-31958 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 29.5% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-31958?
CVE-2026-31958 has a CVSS v4.0 base score of 7.5 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-31958?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-31958, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-31958

Explore →

Is Your Infrastructure Affected by CVE-2026-31958?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.